Synopsis: IE blocks cookies from third-party iframes.
A few weeks ago, a client requested that we/I create an integration with an existing application they had been using. The functionality provided by the existing application duplicated the functionality we currently provide, but the client was adamant that they could not change their business process. So, we went down the road of “quick integration”.
Unfortunately, the only available integration option with the third-party application that filled our needs and met the client’s timeframe was via an embedded frame. Now, the third-party had bunches of available web service calls, but nothing that would provide the functionality the client desired.
Ok, all well and good. So, I whipped up the integration, tested locally, and pushed the code to production with a few hours to spare.
I was feeling pretty good about myself:
It wasn’t all that complicated, but it was a nice piece of development that was delivered on-time, included some back-end authentication/autologin via their web services, and had some extra goodies like a fairly detailed logging object. For bonus points, I was pretty sure that the framework within which I handled the whole process would be reusable for other iframe integration projects.
About a week later I got an urgent voicemail: “Nothing is working!”
Still confident, I fired up FF and was greeted by the functionality that I expected. Chrome, Safari, no problem. IE8, IE9…same. Then I logged in using brand new credentials….FF, Chrome, Safari, all good. IE9…BAM! System Error.
After a few minutes debugging, it became clear that session variables were being dropped within the iframe. The answer, however, took longer to discover.
It turned out that when a new user attempted to view (requires an autologin) the iframe for the first time, I was storing a session variable from within the iframe (i.e. cookies). When I was previously testing the functionality it was using an already authenticated user, so there was no need to keep track of anything in the session.
At this point I had all the evidence I would need.
Internet Explorer + Iframe + 3rd party content + 3rd party cookies = ???
Basically, IE blocks cookies from third-party iframes.
Two Solutions:
- Go sessionless/cookieless inside the iframe
- Apply a P3P policy to the website within the iframe. (in this case, configure IIS to use P3P)
Previously, this problem would have seemed pretty obscure to me. However, in the last three months, I have implemented iframe integrations three times. Once, a piece of our application was embedded within another third-party application. For us, P3P was not the preferred option, so I created a sessionless solution. For the other two integrations, the third party had to implement a P3P.
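One way to go sessionless inside the iframe, shown as an added example that is not the code from this integration: after the back-end autologin, the host page puts a short-lived HMAC-signed token in the frame URL, and the framed application verifies it on every request instead of reading a session cookie. The shared secret, the claim names and the five-minute lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: a secret known only to the host app and the framed app.
SECRET = b"constructed-demo-key-replace-me"
MAX_AGE = 300  # seconds a token stays valid (assumed value)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Host side: build the value appended to the iframe URL."""
    issued = int(now if now is not None else time.time())
    payload = json.dumps({"uid": user_id, "iat": issued},
                         separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Framed side: return the user id, or None if malformed, forged or expired."""
    try:
        body, sig = token.split(".")
        payload = _unb64(body)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        # Constant-time comparison; check the signature before parsing claims.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(payload)
        age = (now if now is not None else time.time()) - claims["iat"]
        return claims["uid"] if 0 <= age <= MAX_AGE else None
    except (ValueError, KeyError, TypeError):
        return None
```

A token carried in a URL ends up in server logs and Referer headers, so keep the lifetime short and serve both pages over HTTPS.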
A couple of useful articles I ran across in my investigation:
- http://stackoverflow.com/questions/389456/cookie-blocked-not-saved-in-iframe-in-internet-explorer
- http://stackoverflow.com/questions/999534/ie-p3p-iframe-and-blocked-cookies-works-until-page-host-page-has-personal-inf
A couple more useful articles from Microsoft that provide some details.